Summary

For the last decade organizations have tried to protect their networks by building defenses at the borders of the network: the Internet edge, the perimeter, the endpoint and the data center (including the DMZ). This outside-in approach rests on the assumption that a company can control clearly defined points of entry and so secure its valuable assets. The strategy was to build the strongest possible border defense and assume nothing got past the firewall.

As organizations grow and adopt technologies such as mobility and cloud, the traditional network boundaries become increasingly hard to control and secure; there are now many different ways into an enterprise network. Not long ago, firewall vendors labelled the ports on their appliances External (Untrusted) and Internal (Trusted). Advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of devices with no security awareness, such as switches, routers and even bridges. So once an attacker, contractor or rogue employee gains access to the network, they have free access to the entire enterprise network, including all of its valuable assets.

Key Requirements
COMPLETE PROTECTION: Continuous inside-out protection against advanced threats with a single security infrastructure.
EASY DEPLOYMENT: Default transparent mode means no need to re-architect the network; centrally deployed and managed.
HIGH PERFORMANCE: Multi-gigabit performance supports wire-speed East-West traffic.

The solution is a new class of firewall, the Internal Network Firewall (INFW), that sits at strategic points of the internal network. It may sit in front of specific servers that hold valuable intellectual property, a set of user devices, or web applications running in the cloud.

Once in place, the INFW must provide instant visibility into traffic entering and leaving that specific network asset. This visibility is needed immediately, without months of network planning and deployment. Most importantly, the INFW must also provide protection, because detection is only part of the solution. Sifting through logs and alerts can take weeks or months; the INFW needs to deliver real-time protection based on the latest security updates. Finally, the INFW must be flexible enough to be placed anywhere within the internal network and to integrate with the other parts of the enterprise security solution under a single pane of management glass. Other security solutions also provide additional visibility and protection: the gateway, web gateway, border firewalls, cloud firewalls and endpoints. Further, Internal Network Firewalls need to scale from low to high throughputs so that they can be deployed across the global network.

Advanced Threats Take Advantage of the Flat Internal Network

Cybercriminals create customized attacks to evade traditional defenses and, once inside, to avoid detection and exfiltrate valuable data. Once inside the network there are few systems in place to detect, let alone protect against, APTs. The threat life cycle in Figure 1 shows that once the perimeter is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling agent-based security, receiving updates from the botnet command and control (C&C) system, further infection and recruitment of hosts, and extraction of the targeted assets.

FIGURE 1 ADVANCED THREAT LIFE CYCLE (diagram not reproduced; labels recovered from the page). Stages: Threat Production + Recon (scan for vulnerabilities, design phishing, customize malware, etc.); Threat Vector / Infection (social engineering, zero-day exploits, malicious URLs, malicious apps, and more); Communication (contact botnet C&C, update; hide, spread, disarm, access); Extraction and Disposal (package & encrypt, stage). The diagram divides these activities between the External and Internal sides of the network boundary.

The Answer is a New Class of Firewall: Internal Network Firewall (INFW)

Most firewall development over the past decade has focused on the border: the Internet edge, the perimeter, the endpoint (host firewall), the data center (DMZ) or the cloud. This started with the stateful firewall and evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection and antivirus. Later came the Next Generation Firewall (NGFW), which added intrusion prevention and application control at the Internet edge. More recently, because of the huge increase in speeds, Data Center Firewalls (DCFW) have arrived to provide more than 100 Gbps of throughput. All of these firewalls share an approach designed to protect from the outside in.

For rapid internal deployment and protection, a new class of firewall is required: the Internal Network Firewall (INFW). The INFW has some different characteristics from a border firewall; the differences are laid out in Figure 2.

The INFW needs to provide complete protection

The first element of security is visibility, and visibility is only as good as knowledge of the packets on the network: what the packet stream for a specific application looks like, where it came from, where it is going, and even what actions are being taken (download, upload, and so on). The second and equally important element is protection: is the application, content or action malicious? While this is very difficult to determine across different content and application types, it is an essential part of the INFW. The ability to detect a malicious file, application or exploit gives an enterprise time to react and contain the threat. All of these protection elements must be on a single device to be effective. Both visibility and protection rely heavily on a real-time central security threat intelligence service. A question that always needs to be posed is how good the visibility and protection are.
Is it keeping up with the latest threats? That's why all security services should be measured on a constant basis against third-party test and certification services.

FIGURE 2 FIREWALL TYPE DIFFERENCES

INFW (Internal Network Firewall)
Purpose: Visibility & protection for internal segments
Location: Access layer
Network operation mode: Transparent mode
Hardware requirements: Higher port density to protect multiple assets
Security components: Firewall, IPS, ATP, Application Control (user-based)
Other characteristics: Rapid deployment, near-zero configuration

NGFW (Next Generation Firewall)
Purpose: Visibility & protection against external threats and Internet activities
Location: Internet gateway
Network operation mode: NAT/Route mode
Hardware requirements: GbE and 10GbE ports
Security components: Firewall, VPN, IPS, Application Control
Other characteristics: Integration with Advanced Threat Protection (sandbox)

DCFW (Data Center Firewall)
Purpose: High performance, low latency network protection
Location: Core layer / DC gateway
Network operation mode: NAT/Route mode
Hardware requirements: High speed (GbE/10GbE/40GbE/100GbE) & high port density, hardware acceleration
Security components: Firewall, DDoS protection
Other characteristics: High Availability

UTM (Unified Threat Management)
Purpose: Visibility & protection against external threats and user activities
Location: Internet gateway
Network operation mode: NAT/Route mode
Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
Security components: Comprehensive and extensible, client and device integration
Other characteristics: Different WAN connectivity options such as 3G/4G

CCFW
Purpose: Network security for service providers
Location: Various
Network operation mode: NAT/Route mode
Hardware requirements: High speed (GbE/10GbE/40GbE) & high port density, hardware acceleration
Security components: Firewall, CGN, LTE & mobile security
Other characteristics: High Availability

The INFW needs to provide easy deployment

The INFW must be easy to deploy and manage. Keeping it simple for IT means being able to deploy with minimal configuration and without re-architecting the existing network. The INFW must also be able to protect different types of internal assets at different parts of the network: a set of servers holding valuable customer information, or a set of endpoint devices that cannot be updated with the latest security protection. Additionally, the INFW must integrate with other parts of the enterprise security solution. Other security solutions also provide additional visibility and protection: the gateway, web gateway, border firewalls, cloud firewalls and endpoints. All of this needs to be managed with a single-pane-of-glass approach, which keeps security policies consistent at the border, inside the network and even outside the network in clouds.

Traditional firewalls are usually deployed in routing mode: interfaces (ports) are well defined with IP addresses. This often takes months of planning and deployment, which is valuable time in today's world of instant cyber attacks. An INFW can be deployed in the network rapidly and with minimal disruption. It must be as simple as powering on a device and connecting it, and it must be transparent to the network and the applications.

The INFW needs to provide wire-speed performance

Because internal network firewalls are deployed in-line for network segmentation, they must be very high performance in order to meet the demands of internal (East/West) traffic and to ensure they do not become a bottleneck at these critical points. Unlike firewalls at the border, which deal with Wide Area Network (WAN) or Internet speeds of less than 1 gigabit per second, internal networks run at much faster multi-gigabit speeds.
Therefore INFWs need to operate at multi-gigabit speeds and provide deep packet and content inspection without slowing down the network.

INFW Technology Requirements

A Flexible Network Operating System

Almost all firewall deployment modes require IP allocation and reconfiguration of the network. This is known as network routing deployment; it provides traffic visibility and threat prevention. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection because the firewall is not in the traffic path. Transparent mode combines the advantages of network routing and sniffer modes: it provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3.

FIGURE 3 FIREWALL TYPE DIFFERENCES (deployment modes; the checkmarks of the original diagram are reconstructed here as Yes/No)

Network Routing: deployment complexity High; network functions L3 routing; high availability Yes; traffic visibility Yes; threat protection Yes
Transparent: deployment complexity Low; network functions L2 bridge; high availability Yes; traffic visibility Yes; threat protection Yes
Sniffer: deployment complexity Low; network functions None; high availability No; traffic visibility Yes; threat protection No

A Scalable Hardware Architecture

Because internal networks run at much higher speeds, the INFW needs to be architected for multi-gigabit protection throughput. Although CPU-only architectures are flexible, they become bottlenecks when high throughput is required. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection. Because the INFW is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments; availability of a more ruggedized form factor is therefore another requirement of INFWs.

Network Segmentation: High Speed Integrated Switching

An evolving aspect of transparent mode is the ability to physically separate subnetworks and servers via a switch. Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10GbE port interfaces, become an ideal data center top-of-rack solution, allowing servers to be physically and virtually secured. Similarly, switch-integrated firewalls with a high density of 1GbE port interfaces become ideal for separating LAN subsegments. INFWs should be able to fulfill both of these roles, and as such should ideally have fully functional, integrated switching capabilities.

Network Wide INFW Deployment Example

Most companies have set up border protection with firewalls, NGFWs and UTMs. These remain critical parts of network protection. However, to improve the security posture, Internal Network Firewalls can be placed strategically inside the network: in front of a specific set of endpoints where it is hard to update security, or in front of servers where intellectual property is stored.

Real-time Security

Internal Network Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam and integration with cloud-based sandboxing, allowing the enforcement of policies that complement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network.

FIGURE 4 INTERNAL NETWORK FIREWALL (INFW) DEPLOYMENT (diagram not reproduced). Elements shown: the Internet; a campus with an Edge Firewall (NGFW) and INFWs in front of endpoint groups; a data center behind a Data Center Firewall (DCFW) with INFWs in front of server groups; a branch protected by Unified Threat Management (UTM); and cloud applications behind a virtual INFW. Campus, data center and branch segments are labelled INTERNAL.
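The following is an added example, not code from this brief or from Fortinet: a small Python model of the east-west policy an INFW enforces, run over constructed flow records. The segment addresses, the allow rules and the sample flows are all assumptions made for the example. It shows three things the text describes: a flat network forwards every flow, an INFW in front of the server segment applies a default-deny policy to everything that crosses it, and an INFW inserted between the distribution and access switches never sees host-to-host traffic inside one access VLAN, which is the case the integrated switching discussed above is meant to cover.

```python
"""Added example: east-west segmentation policy over constructed flows.
Addresses, rules and flows are assumptions, not taken from the brief."""
import ipaddress
from dataclasses import dataclass

# Assumed internal addressing for the example.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "mgmt":    ipaddress.ip_network("10.250.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_seg: str
    dst_seg: str
    services: frozenset  # (proto, dport) pairs


# Explicit allow list; anything not listed is denied (default deny).
# In a real deployment users-to-users would need its own allows (printing etc.).
RULES = (
    Rule("users-to-web", "users", "servers", frozenset({("tcp", 80), ("tcp", 443)})),
    Rule("admin-to-servers", "mgmt", "servers", frozenset({("tcp", 22), ("tcp", 3389)})),
)


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def crosses_infw(flow: Flow, infw_segments, inline_at_access: bool) -> bool:
    """Does an INFW placed in front of `infw_segments` see this flow?
    Between distribution and access it only sees traffic entering or leaving
    a protected segment; traffic between two hosts in the same access VLAN is
    switched locally and never reaches it unless the firewall *is* the access
    switch (inline_at_access=True)."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return inline_at_access and s in infw_segments
    return s in infw_segments or d in infw_segments


def verdict(flow: Flow) -> tuple:
    """Policy decision for a flow the INFW inspects."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    for r in RULES:
        if r.src_seg == s and r.dst_seg == d and (flow.proto, flow.dport) in r.services:
            return ("accept", r.name)
    return ("deny", "default-deny")


def evaluate(flows, infw_segments=frozenset({"servers"}), inline_at_access=False):
    """Per-flow outcome. Flows the INFW cannot see are forwarded untouched by
    the switches, which is exactly the flat-network behaviour."""
    results = []
    for f in flows:
        if crosses_infw(f, infw_segments, inline_at_access):
            action, why = verdict(f)
        else:
            action, why = ("forward", "not-inspected")
        results.append((f, action, why))
    return results


def summarize(results) -> dict:
    counts = {}
    for _, action, _ in results:
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = (
    Flow("10.10.4.21", "10.20.0.10", "tcp", 443),   # user browsing a server
    Flow("10.10.4.21", "10.20.0.10", "tcp", 445),   # user SMB to a server
    Flow("10.10.4.21", "10.20.0.10", "tcp", 3389),  # user RDP to a server
    Flow("10.250.0.5", "10.20.0.10", "tcp", 22),    # admin SSH from mgmt
    Flow("10.10.4.21", "10.10.7.33", "tcp", 445),   # user-to-user SMB, same VLAN
)

if __name__ == "__main__":
    for f, action, why in evaluate(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {action} ({why})")
    print("flat network:", summarize(evaluate(SAMPLE_FLOWS, infw_segments=frozenset())))
    print("INFW at distribution:", summarize(evaluate(SAMPLE_FLOWS)))
    print("INFW as access switch:", summarize(evaluate(
        SAMPLE_FLOWS, infw_segments=frozenset({"servers", "users"}), inline_at_access=True)))
```

Running the block prints each flow's decision and three summaries. With no INFW every flow is forwarded; with the INFW between distribution and access the SMB and RDP attempts against the server are denied, but the SMB flow between two user devices is still forwarded because it never crosses the firewall; only when the firewall is the access switch for the user segment does that lateral flow get a verdict.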

Segment INFW Deployment Example

The INFW is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent, between the distribution and access switches. Longer term, the integrated switching could take the place of the access and distribution switches and provide additional physical protection.

FIGURE 5 INTERNAL NETWORK FIREWALL (INFW) DEPLOYMENT (diagram not reproduced). Elements shown, top to bottom: DISTRIBUTION/CORE LAYER with the core/distribution switch and its uplink to the Internet; a FortiGate wire intercept using a transparent port pair, providing high speed interface connectivity with IPS, ATP & App Control; ACCESS LAYER with the access switch / VLAN, local servers and user network devices.

Conclusion

Advanced threats are taking advantage of the flat internal network. Once through the border defense there is little to stop their spread and the eventual extraction of valuable targeted assets. Because traditional firewalls have been architected for the slower speeds of the Internet edge, it is hard to deploy these security devices internally, and routed firewall deployments, with their IP address changes, take a long time. Internal Network Firewalls are a new class of firewall that can be deployed rapidly with minimal disruption while keeping up with the multi-gigabit speeds of internal networks. Instant visibility and protection can be applied to specific parts of the internal network.

GLOBAL HEADQUARTERS Fortinet Inc., 899 Kifer Road, Sunnyvale, CA, United States
EMEA SALES OFFICE 120 rue Albert Caquot, 06560 Sophia Antipolis, France
APAC SALES OFFICE 300 Beach Road, The Concourse, Singapore
LATIN AMERICA SALES OFFICE Prol. Paseo de la Reforma 115 Int. 702, Col. Lomas de Santa Fe, Del. Alvaro Obregón, México D.F.

Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet.
All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
